Understanding the Payment Fraud Ecosystem: Insights from the Latest Industry Report

The 2025 Payment Fraud Intelligence Report reveals how organized threats are exploiting pre-monetization opportunities, urging proactive defenses against evolving fraud tactics.

Apr 01, 2026

Payment fraud has evolved beyond isolated schemes directed by individual malefactors; it now functions through a sophisticated ecosystem designed to facilitate large-scale attacks. This industrialization of fraud is underpinned by tailored infrastructure, bundled toolkits, and service-oriented models, effectively allowing perpetrators to maximize their fraud activities with minimal technical skills.

The Annual Payment Fraud Intelligence Report: 2025 from Recorded Future cites advancements in technology and professionalized support services as pivotal factors driving this trend.

Take the Magecart e-skimmer supply chain as a prime illustration. With ready-made e-skimmer kits and Malware-as-a-Service (MaaS) offerings, even those lacking technical expertise can now compromise e-commerce platforms on a massive scale. The "Sniffer by Fleras" kit, for example, accounted for nearly a quarter of all e-skimmer infections documented in 2025. It features a user-friendly web portal for crafting malicious scripts coupled with a management server for harvested data. Consequently, over 10,500 unique Magecart infections were recorded, jeopardizing upwards of 23 million transactions throughout the year.

Furthermore, the “AcceptCar” e-skimmer, identified in the latter half of 2025, showcases how these services have matured. Installation and operation on compromised e-commerce sites are managed by service operators, while fraudsters share between 50% and 70% of their earnings from card data. Such platforms make extensive compromise operations accessible to actors who lack the resources to run their own infrastructure.

Figure 1: Line graph illustrating Magecart e-skimmer infections throughout 2025, categorized by groups, kits, and techniques. (Source: Recorded Future)

Similarly, purchase scam operations exemplify this trend. According to Recorded Future's insights, there were over 3,600 fraudulent merchant accounts identified in 2025—a significant increase from previous years—spanning more than 40 countries and 230 acquirers. This growth indicates a highly organized approach to establishing fraudulent payment infrastructures.

Common patterns in how these scammers register merchants suggest they've standardized their acquisition processes, allowing for rapid deployment of fraud operations through low-friction methodologies.

Card testing has also followed the same industrial logic, with Telegram-based services validating around 27 million card records in 2025 using publicly accessible generation and testing channels. Moreover, more than 1,350 legitimate merchant accounts were exploited for testing, most of which were new registrations that had not been flagged prior to 2025, indicating a systematic approach to evade detection.

Figure 2: Graphic depicting the attack chain of purchase scams. (Source: Recorded Future)

The Upstream Concentration of the Ecosystem

What's noteworthy is that most of these attack vectors operate upstream of where fraud transactions happen. E-skimmer infections and scam merchants typically compromise card information during online transactions, while card testing verifies the compromised data before it is monetized.

Though the consequences of fraud are evident, the mechanisms enabling such outcomes often remain obscured. "Fraud outcomes are visible, but the pathways that enable them are often not." This industrial scale requires standardization, which in turn produces observable patterns that can be tracked and analyzed.

For instance, with 26% of e-skimmer infections linked to a single toolkit and scammers using predictable merchant registration practices, the interconnections making fraud scalable also render it easily identifiable. Such convergence allows for the detection of indicators of compromise across various fraud networks.

Current tracking shows that Magecart infections can be detected prior to the harvesting of card data, while scam merchants frequently exhibit recognizable signs such as recent domain registrations and discrepancies in merchant categorization.

Card testing activities also hint at potential monetization attempts. Each of these stages offers a critical chance to intervene before fraud leads to financial losses.

Transaction Monitoring: A Misplaced Focus

Current transaction monitoring and anomaly detection systems typically focus on identifying irregular behavior at the point of payment—such as atypical spending or geographic inconsistencies. While effective, these systems are blind to the industrialized pre-monetization phases that fraudsters have designed to evade detection.

Purchase scams are explicitly constructed to sidestep transaction-based safeguards by manipulating cardholders into authorizing fraudulent payments, thus masking the illegitimacy of the transaction. Card testing strategies prioritize new merchants to avoid historical red flags; essentially, a detection framework based solely on transaction activity is always one step behind.

With the volume of undetected activities on the rise—such as a more than fourfold increase in purchase scams—financial services must bolster their defenses by integrating proactive monitoring of upstream indicators.

Addressing the Gaps with Recorded Future Payment Fraud Intelligence

Recorded Future's Payment Fraud Intelligence offers a comprehensive monitoring solution that covers each of these upstream fraud stages.

The system enables daily tracking of Magecart-infected sites as well as enriched merchant data that integrates seamlessly with transaction monitoring protocols. This approach can identify high-risk merchants long before stolen card information hits the market. Additionally, the Scam Merchants dataset can reveal fraudulent accounts and their domains preemptively, before cardholders fall victim or card data circulates in illicit markets.

Monitoring card tester activity can highlight which portfolios are at risk before criminals attempt to monetize them. By staying ahead of the standardization trends among threat actors, a single detected threat can provide invaluable insights across a vast network.

Remarkably, data from Recorded Future indicates that 75% of compromised cards are identified ahead of any fraudulent transaction, and 90% of compromised card assets are flagged within hours of a breach.

As the fraud ecosystem continues to mature, the opportunities for preemptive action are likely to expand. Financial institutions equipped with visibility into these indicators can act decisively before loss occurs, while those without such intel may find themselves responding too late.

Explore the full findings of this year’s Annual Payment Fraud Intelligence Report: 2025 for an in-depth look at current trends.

Source: David Martinez · www.recordedfuture.com
